diff options
Diffstat (limited to 'straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers')
| -rw-r--r-- | straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers | 98 |
1 files changed, 0 insertions, 98 deletions
diff --git a/straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers b/straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers deleted file mode 100644 index d5f2243..0000000 --- a/straper/db/public/apparmor/apparmor.d/abstractions/ubuntu-helpers +++ /dev/null @@ -1,98 +0,0 @@ -# Lenient profile that is intended to be used when 'Ux' is desired but -# does not provide enough environment sanitizing. This effectively is an -# open profile that blacklists certain known dangerous files and also -# does not allow any capabilities. For example, it will not allow 'm' on files -# owned be the user invoking the program. While this provides some additional -# protection, please use with care as applications running under this profile -# are effectively running without any AppArmor protection. Use this profile -# only if the process absolutely must be run (effectively) unconfined. -# -# Usage: -# Because this abstraction defines the sanitized_helper profile, it must only -# be included once. Therefore this abstraction should typically not be -# included in other abstractions so as to avoid parser errors regarding -# multiple definitions. -# -# Limitations: -# 1. This does not work for root owned processes, because of the way we use -# owner matching in the sanitized helper. We could do a better job with -# this to support root, but it would make the policy harder to understand -# and going unconfined as root is not desirable any way. -# -# 2. For this sanitized_helper to work, the program running in the sanitized -# environment must open symlinks directly in order for AppArmor to mediate -# it. This is confirmed to work with: -# - compiled code which can load shared libraries -# - python imports -# It is known not to work with: -# - perl includes -# 3. Sanitizing ruby and java -# -# Use at your own risk. This profile was developed as an interim workaround for -# LP: #851986 until AppArmor utilizes proper environment filtering. - - abi <abi/4.0>, - -profile sanitized_helper { - include <abstractions/base> - include <abstractions/X> - include if exists <local/ubuntu-helpers> - - # Allow all networking - network inet, - network inet6, - - # Allow all DBus communications - include <abstractions/dbus-session-strict> - include <abstractions/dbus-strict> - dbus, - - # Needed for Google Chrome - ptrace (trace) peer=**//sanitized_helper, - - # Allow exec of anything, but under this profile. Allow transition - # to other profiles if they exist. - /{usr/,usr/local/,}{bin,sbin}/* Pixr, - - # Allow exec of libexec applications in /usr/lib* and /usr/local/lib* - /usr/{,local/}lib*/{,**/}* Pixr, - - # Allow exec of software-center scripts. We may need to allow wider - # permissions for /usr/share, but for now just do this. (LP: #972367) - /usr/share/software-center/* Pixr, - - # Allow exec of texlive font build scripts (LP: #1010909) - /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr, - - # While the chromium and chrome sandboxes are setuid root, they only link - # in limited libraries so glibc's secure execution should be enough to not - # require the santized_helper (ie, LD_PRELOAD will only use standard system - # paths (man ld.so)). - /usr/lib/chromium-browser/chromium-browser-sandbox PUxr, - /usr/lib/chromium{,-browser}/chrome-sandbox PUxr, - /opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr, - /opt/google/chrome{,-beta,-unstable}/google-chrome Pixr, - /opt/google/chrome{,-beta,-unstable}/chrome Pixr, - /opt/google/chrome{,-beta,-unstable}/chrome_crashpad_handler Pixr, - /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m, - - # The same is needed for Brave - /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr, - /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr, - /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr, - /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome_crashpad_handler Pixr, - /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m, - - # Allow running snap applications - # https://bugs.launchpad.net/apparmor/+bug/2095872 - /usr/bin/snap ux, - - # Full access - / r, - /** rwkl, - /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m, - - # Dangerous files - audit deny owner /**/* m, # compiled libraries - audit deny owner /**/*.py* r, # python imports -} |
